Server 2008 with Exchange 2007. The PDC used to be Server 2003 until an outage forced me to elevate the 2008 box to BDC (yes, I know the names are not used this way anymore). Long story short, the 2003 machine was restored, then 2008 was elevated once the AD was functional. This was 2 weeks ago.

At the time, when I elevated the 2008 box I had to remove the AD Certificate Authority services in order to promote the machine to a DC. I made a backup of the CA and private key and registry settings of the server before promotion. After promotion, I restored the files I created onto the server, and the only problem seemed to be that internal domain users were getting random certificate warnings. I thought this was caused by the certificate being 3rd party, so I used the Exchange Management Console to change the internal URLs for autodiscover to the external website and verified the internal DNS was set up to handle the redirection to the Exchange server properly.

Come in today, there are errors in NTFRS, DNS and NTDS on Server 2003. I managed to solve the NTFRS replication issue, but I am still getting errors on the old DC (2003 server). Also, new profiles are not able to be configured in Outlook. When I try to configure them, I get prompted for my credentials, which are never allowed to authenticate. It just keeps prompting until I hit cancel. At this point I get the error "Outlook cannot log on. Verify you are connected to the network and are using the proper server and mailbox name. The connection to Outlook must be online or connected to complete this action."

When I click OK here, the server name is the correct internal FQDN of the Exchange server, but the mailbox says "=SMTP:username@domain.local", and if I cancel at this point, it tries to authenticate me against the server again. Some established domain users are getting prompted for credentials, but if they enter their credentials properly (domain\username) they are able to get to their mail.

I'm not sure if it's related, but I have the following errors in my 2003 box:

Still, this is a high-risk operation, so back things up, as this can completely wipe your AD. I would almost say reinstall and restore AD from backup. I hope there is a backup.

Are you sure replication is ok? With a corrupt database, what are you replicating? That DNS problem also points towards replication failure.
repadmin /replsummary
repadmin /showcert dsa
repadmin /viewlist
etc

Authentication to the domain seems to be fine, as I had reformatted a PC yesterday during all the time I spent on the server and I was able to authenticate with two separate domain accounts. I will be working on AD at a later date for sure, but for now it doesn't seem like AD is a problem. And yes, there is at least a week's worth of backups.

Autodiscover can be a real PITA. A few things to check: Make sure you have the latest Exchange service pack installed. There are authentication issues with the base Exchange 2k7 and Autodiscover. Make sure your 3rd-party certificate has the autodiscover entry on the SAN. If your domain is contoso.com, you need a SAN entry that says autodiscover.contoso.com. Wildcard certs don't work well with autodiscover. Those are the most common problems I have run into; if that does not fix it there are a number of Exchange & IIS configurations that need to be checked.
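The SAN check in the reply above can be scripted. The following is an added example for this thread, not code from any of the posters: it takes a certificate in the dict shape that Python's `ssl.SSLSocket.getpeercert()` returns, builds the list of host names Outlook will present in TLS (the two Autodiscover candidates derived from the SMTP domain, plus the internal and external server names), and reports each name as covered exactly, covered only by a wildcard entry, or missing. `SAMPLE_CERT`, `contoso.com`, `exch01.contoso.local` and `mail.contoso.com` are constructed values.

```python
"""Audit a certificate's SAN against the host names Outlook will use.

Added example for this thread, not code from the original posts.  The cert is
given in the dict shape ssl.SSLSocket.getpeercert() returns, so a live cert
can be fed in unchanged; SAMPLE_CERT and the host names are constructed."""


def san_dns_names(cert):
    """DNS entries from the subjectAltName of a getpeercert()-style dict."""
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def outlook_host_names(smtp_domain, internal_fqdn, external_fqdn):
    """Names a client will present in TLS: the two Autodiscover candidates
    Outlook derives from the SMTP domain, plus the internal and external
    server names it is redirected to."""
    return sorted({smtp_domain, "autodiscover." + smtp_domain, internal_fqdn, external_fqdn})


def san_match(pattern, host):
    """RFC 6125-style DNS-ID match.  Returns 'exact', 'wildcard' or None.
    A single leading '*' label matches exactly one label, so *.contoso.com
    covers mail.contoso.com but neither contoso.com nor a.b.contoso.com."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern == host:
        return "exact"
    if pattern.startswith("*.") and "*" not in pattern[1:]:
        p_labels, h_labels = pattern.split("."), host.split(".")
        if len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]:
            return "wildcard"
    return None


def audit_san(cert, required):
    """Classify each required name as 'exact', 'wildcard' (covered only by a
    wildcard entry, which the reply above warns against for Autodiscover) or
    'missing' (the client will raise a certificate warning for that name)."""
    names = san_dns_names(cert)
    report = {}
    for host in required:
        kinds = {san_match(pattern, host) for pattern in names}
        if "exact" in kinds:
            report[host] = "exact"
        elif "wildcard" in kinds:
            report[host] = "wildcard"
        else:
            report[host] = "missing"
    return report


# Constructed sample: a 3rd-party cert whose SAN carries only the external
# name, which is the situation the thread goes on to describe.
SAMPLE_CERT = {
    "subject": ((("commonName", "mail.contoso.com"),),),
    "subjectAltName": (("DNS", "mail.contoso.com"),),
}

if __name__ == "__main__":
    required = outlook_host_names("contoso.com", "exch01.contoso.local", "mail.contoso.com")
    for host, status in audit_san(SAMPLE_CERT, required).items():
        print(f"{host:30} {status}")
```

With the sample cert every name except `mail.contoso.com` comes back `missing`, which is exactly the pattern of "random certificate warnings" for internal users. Note that `getpeercert()` only returns the populated dict when the handshake verified the chain; if verification is disabled you get an empty dict and must decode the DER form yourself.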


SAN only shows the external name, but I tracked down a copy of the cert from before promoting Exchange to a DC, and it also only has the external name in the SAN, i.e., SAN shows the publicly configured DNS name and not the internal one, and does not have autodiscover listed. This same cert worked before the promotion to DC, so I'm hoping it will still work now.

I am going onsite before hours tomorrow to fix the AD, so at least I can rule that out after tomorrow. If you have that list of Exchange and IIS configurations, I'd very much appreciate it.

I found out I had the wrong cert enabled for autodiscover/SMTP. When I enabled the 3rd-party cert, autodiscover began allowing authentication again. I'm still getting prompted for a password, but at least it's autofilling the entries correctly now.

The 3rd-party cert was always listed in the bindings correctly, but when local (domain) users opened Outlook, it would prompt them with a warning about the cert coming from the local FQDN instead of the external one, saying the cert was not valid. As of right now, I am not getting any more AD errors, but users are still getting prompted for credentials when they open Outlook.

Well, two weeks later and I think the issues are fixed. I had a scare moment when I created a new user for one of our remote offices and their Outlook didn't configure correctly. Apparently the mailbox has to be initialized before Outlook Anywhere will work correctly now, which I don't recall being the case before any of this happened.


Nothing should have to be done on the user PC before Autodiscover configures Outlook, assuming it is working properly. What are the results of an Autodiscover test from the client? You can run the test by Shift + right-clicking the system tray icon, IIRC.
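The client-side Autodiscover test returns the same XML the client itself receives, so reading it directly shows which servers, authentication package and certificate principal name Outlook is being told to use. The following is an added example for this thread, not code from any poster or from Microsoft: it parses a constructed Autodiscover (POX) response into a summary and lists every host the client will connect to, which is the list the certificate SAN has to cover. `exch01.contoso.local` and `mail.contoso.com` are hypothetical names; `SAMPLE_RESPONSE` and `SAMPLE_ERROR` are constructed.

```python
"""Summarise an Outlook Autodiscover (POX) response.

Added example for this thread, not from the original posts.  The response
bodies are constructed and the host names are hypothetical."""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

OUTLOOK_NS = "http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a"

# Constructed: a settings response with an internal (EXCH) and an
# Outlook Anywhere (EXPR) protocol block.
SAMPLE_RESPONSE = """<Autodiscover xmlns="http://schemas.microsoft.com/exchange/autodiscover/responseschema/2006">
  <Response xmlns="http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a">
    <User><DisplayName>Example User</DisplayName></User>
    <Account>
      <AccountType>email</AccountType>
      <Action>settings</Action>
      <Protocol>
        <Type>EXCH</Type>
        <Server>exch01.contoso.local</Server>
        <EwsUrl>https://exch01.contoso.local/EWS/Exchange.asmx</EwsUrl>
        <OABUrl>https://exch01.contoso.local/OAB/</OABUrl>
      </Protocol>
      <Protocol>
        <Type>EXPR</Type>
        <Server>mail.contoso.com</Server>
        <SSL>On</SSL>
        <AuthPackage>Basic</AuthPackage>
        <CertPrincipalName>msstd:mail.contoso.com</CertPrincipalName>
      </Protocol>
    </Account>
  </Response>
</Autodiscover>"""

# Constructed: the error shape the service returns for a bad request.
SAMPLE_ERROR = """<Autodiscover xmlns="http://schemas.microsoft.com/exchange/autodiscover/responseschema/2006">
  <Response>
    <Error Time="00:00:00.0000000" Id="0">
      <ErrorCode>600</ErrorCode>
      <Message>Invalid Request</Message>
    </Error>
  </Response>
</Autodiscover>"""


def _local(tag):
    """Strip the namespace prefix ElementTree attaches to a tag."""
    return tag.rsplit("}", 1)[-1]


def _fields(elem):
    """Map each direct child's local name to its stripped text."""
    return {_local(child.tag): (child.text or "").strip() for child in elem}


def parse_autodiscover(xml_text):
    """Return {'error': {...}} or {'protocols': [...]} from a response body.
    The Error element lookup is namespace-agnostic, since error responses do
    not necessarily use the outlook response namespace."""
    root = ET.fromstring(xml_text)
    for elem in root.iter():
        if _local(elem.tag) == "Error":
            fields = _fields(elem)
            return {"error": {"code": fields.get("ErrorCode"), "message": fields.get("Message")}}
    protocols = []
    for proto in root.iter(f"{{{OUTLOOK_NS}}}Protocol"):
        fields = _fields(proto)
        protocols.append({
            "type": fields.get("Type"),
            "server": fields.get("Server"),
            "ssl": fields.get("SSL", "Off") == "On",
            "auth": fields.get("AuthPackage"),
            "cert_principal": fields.get("CertPrincipalName"),
            "urls": {name: value for name, value in fields.items() if name.endswith("Url")},
        })
    return {"protocols": protocols}


def hosts_client_will_contact(parsed):
    """Every host the client will open a connection to, and therefore must
    find in the certificate: Server fields plus the hosts of *Url endpoints."""
    hosts = set()
    for proto in parsed.get("protocols", []):
        if proto["server"]:
            hosts.add(proto["server"].lower())
        for url in proto["urls"].values():
            host = urlparse(url).hostname
            if host:
                hosts.add(host.lower())
    return sorted(hosts)


if __name__ == "__main__":
    summary = parse_autodiscover(SAMPLE_RESPONSE)
    for proto in summary["protocols"]:
        print(proto["type"], proto["server"], proto["auth"], proto["cert_principal"])
    print("hosts to cover:", hosts_client_will_contact(summary))
    print("error sample:", parse_autodiscover(SAMPLE_ERROR))
```

In the sample, the client is told to reach `exch01.contoso.local` for the internal endpoints and `mail.contoso.com` for Outlook Anywhere with Basic authentication and a certificate principal of `msstd:mail.contoso.com`. A credential prompt that never succeeds, as described earlier in the thread, is worth comparing against the `AuthPackage` value here and against whether the certificate actually matches the `CertPrincipalName`.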